The present invention relates to computer networks and, more particularly, to a general purpose programmable platform for acceleration of network infrastructure applications.
Computer networks have become a key part of the corporate infrastructure. Organizations have become increasingly dependent on intranets and the Internet and are demanding much greater levels of performance from their network infrastructure. The network infrastructure is being viewed: (1) as a competitive advantage; (2) as mission critical; (3) as a cost center. The infrastructure itself is transitioning from 10 Mb/s (megabits per second) capability to 100 Mb/s capability. Soon, infrastructure capable of 1 Gb/s (gigabits per second) will start appearing on server connections, trunks and backbones. As more and more computing equipment gets deployed, the number of nodes within an organization has also grown. There has been a doubling of users, and a ten-fold increase in the amount of traffic every year.
Network infrastructure applications monitor, manage and manipulate network traffic in the fabric of computer networks. The high demand for network bandwidth and connectivity has led to tremendous complexity and performance requirements for this class of application. Traditional methods of dealing with these problems are no longer adequate.
Several sophisticated software applications that provide solutions to the problems encountered by the network manager have emerged. The main areas for such applications are Security, Quality of Service (QoS)/Class of Service (CoS) and Network Management Examples are: Firewalls; Intrusion Detection; Encryption; Virtual Private Networks (VPN); enabling services for ISPs (load balancing and such); Accounting; Web billing; Bandwidth Optimization; Service Level Management; Commerce; Application Level Management; Active Network Management
There are three conventional ways in which these applications are deployed:
(1) On general purpose computers.
(2) Using single function boxes.
(3) On switches and routers.
It is instructive to examine the issues related to each of these deployment techniques.
General Purpose computers, such as PCs running NT/Windows or workstations running Solaris/HP-UX, etc. are a common method for deploying network infrastructure applications. The typical configuration consists of two or more network interfaces each providing a connection to a network segment. The application runs on the main processor (Pentium/SPARC etc.) and communicates with the Network Interface Controller (NIC) card either through (typically) the socket interface or (in some cases) a specialized driver xe2x80x9cshimxe2x80x9d in the operating system (OS). The xe2x80x9cshimxe2x80x9d approach allows access to xe2x80x9crawxe2x80x9d packets, which is necessary for many of the packet oriented applications. Applications that are end-point oriented, such as proxies can interface to the top of the IP (Internet Protocol) or other protocol stack.
The advantages of running the application on a general purpose computer include: a full development environment; all the OS services (IPC, file system, memory management, threads. I/O etc); low cost due to ubiquity of the platform; stability of the APIs; and assurance that performance will increase with each new generation of the general purpose computer technology.
There are, however, many disadvantages of running the application on a general purpose computer. First, the I/O subsystem on a general purpose computer is optimized to provide a standard connection to a variety of peripherals at reasonable cost and, hence, reasonable performance. 32 b/33 MHz PCI (xe2x80x9cPeripheral Connection Interfacexe2x80x9d, the dominant I/O connection on common general purpose platforms today) has an effective bandwidth in the 50-75 MB/s range. While this is adequate for a few interfaces to high performance networks, it does not scale. Also, there is significant latency involved in accesses to the card. Therefore, any kind of non-pipelined activity results in a significant performance impact.
Another disadvantage is that general purpose computers do not typically have good interrupt response time and context switch characteristics (as opposed to real-time operating systems used in many embedded applications). While this is not a problem for most computing environments, it is far from ideal for a network infrastructure application. Network infrastructure applications have to deal with network traffic operating at increasingly higher speeds and less time between packets. Small interrupt response times and small context switch times are very necessary.
Another disadvantage is that general purpose platforms do not have any specialized hardware that assist with network infrastructure applications. With rare exception, none of the instruction sets for general purpose computers are optimized for network infrastructure applications.
Another disadvantage is that, on a general purpose computer, typical network applications are built on top of the TCP/IP stack. This severely limits the packet processing capability of the application.
Another disadvantage is that packets need to be pulled into the processor cache for processing. Cache fills and write backs become a severe bottleneck for high bandwidth networks.
Finally, general purpose platforms use general purpose operating systems (OS""s). These operating systems are generally not known for having quick reboots on power-cycle or other wiring-closet appliance oriented characteristics important for network infrastructure applications.
There are a couple of different ways to build single function appliances. The first way is to take a single board computer, add in a couple of NIC cards, and run an executive program on the main processor. This approach avoids some of the problems that a general purpose OS brings, but the performance is still limited to that of the base platform architecture (as described above).
A way to enhance the performance is to build special purpose hardware that performs functions required by the specific application very well. Therefore, from a performance standpoint, this can be a very good approach.
There are, however, a couple of key issues with special function appliances. For example, they are not expandable by their very nature. If the network manager needs a new application, he/she will need to procure a new appliance. Contrast this with loading a new application on a desktop PC. In the case of a PC, a new appliance is not needed with every new application.
Finally, if the solution is not completely custom, it is unlikely that the solution is scalable. Using a PC or other single board computer as the packet processor for each location at which that application is installed is not cost-effective.
Another approach is to deploy a scaled down version of an application on switches and routers which comprise the fabric of the network. The advantages of this approach are that: (1) no additional equipment is required for the deployment of the application; and (2) all of the segments in a network are visible at the switches.
There are a number of problems with this approach.
One disadvantage is that the processing power available at a switch or router is limited. Typically, this processing power is dedicated to the primary business of the switch/routerxe2x80x94switching or routing. When significant applications have to be run on these switches or routers, their performance drops.
Another disadvantage is that not all nodes in a network need to be managed in the same way. Putting significant processing power on all the ports of a switch or router is not cost-effective.
Another disadvantage is that, even if processing power became so cheap as to be deployed freely at every port of a switch or router, a switch or router is optimized to move frames/packets from port to port. It is not optimized to process packets, for applications.
Another disadvantage is that a typical switch or router does not provide the facilities that are necessary for the creation and deployment of sophisticated network infrastructure applications. The services required can be quite extensive and porting an application to run on a switch or router can be very difficult.
Finally, replacing existing network switching equipment with new versions that support new applications can be difficult. It is much more effective to xe2x80x9cadd applicationsxe2x80x9d to the network where needed.
What is needed is an optimized platform for the deployment of sophisticated software applications in a network environment.
The present invention relates to a general-purpose programmable packet processing platform for accelerating network infrastructure applications which have been structured so as to separate the stages of classification and action. A wide variety of embodiments of the present invention are possible and will be understood by those skilled in the art based on the present patent application. In certain embodiments, acceleration is achieved by one or more of the following:
Dividing the steps of packet processing into a multiplicity of pipeline stages and providing different functional units for different stages, thus allowing more processing time per packet and also providing concurrency in the processing of multiple packets,
Providing custom, specialized Classification Engines which are micro-programmed processors optimized for the various functions common in predicate analysis and table searches for these sort of applications, and are each used as pipeline stages in different flows,
Providing a general-purpose microprocessor for executing the arbitrary actions desired by these applications,
Providing a tightly-coupled encryption coprocessor to accelerate common network encryption functions,
Reducing or eliminating the need for the applications to examine the actual contents of the packet, thus minimizing the movement of packet data and the effects of that data movement on the processor""s cache/bus/memory subsystem, and
Either eliminating or providing special hardware to accelerate system overheads common to embedded network applications run on general purpose platforms; this includes special support for managing buffer pools, for communication among units and the passing of buffers between them, and for managing the network interface MACs (media access controllers) without the need for heavyweight device driver programs.
Recognizing a common policy enforcement module for network infrastructure applications
Certain specific embodiments are implemented with one or more of the following features:
a policy enforcement module consisting of Classification and associated Action
both stateless classification and stateful classification which uses sets
Provision of a high level interface to packet level Classification and Action (Action and Classification Engine-ACE)
Provision of the high level interface within common operating environments Policy can be changed dynamically
Application partitioned into an AP module running on the AP (Application Processor) and a PE (Policy Engine) module running on the PE
AP can run operating systems with full services to facilitate application development
PE functionality embodied as software running on AP as well as hardware and software running on the hardware PE
A language interface to describe Classification and to associate Actions with the results of the Classification
Language (NetBoost Classification Language-NCL) for Classification/Action
Object oriented (extensible)
Specific to Classification and hence very simple
Built-in intrinsics such as checksum
Language constructs make it easy to describe layered protocols and protocol fields
Rule construct to associate Classification and Actions
Predicate construct which is a function of packet contents at any layer of any protocol and/or of hash search results
Set construct to describe hash tables and multiple searches on the same hash table
Action code
Written in high level language
Complex packet processing possible
Can avail of Application Services Library (ASL) providing services useful for packet processing
ASL consists of packet management, memory management, time and event management, link level services, packet timestamp service, cryptographic services, communication services to AP module plus extensions
TCP/IP extensions include services such as Network Address Translation (NAT) for IP, TCP and UDP, Checksums, IP fragment reassembly and TCP segment reassembly
System components include
library implementing API (DLL under Windows NT)
a management process called Resolver
an incremental compiler for NCL
linker for NCL code
dynamic linker for action code
operating-system specific drivers which communicate with both hardware and software PEs
software Policy Engine that executes Classification and Action code ASL for Action code
management services (Resolver and Plumber) for both application developer and the end-user
development environment for AP and PE code including compilers, and other software development tools familiar to those skilled in the art
ACE
C++ object which abstracts the packet processing associated with an application or sub-application
Provides a context for Classification and Action
Contains one or more Target objects, including drop and default, which represent packet destinations
Provides a context for upcalls and downcalls between the AP and the PE modules
Targets of an ACE are connected to other ACEs or interfaces using the Plumber (graphical and programmatic interfaces) to specify the serialization of ACE processing
Operating environment for action code
Invokes actions automatically when associated classification succeeds
Implements an ACE context
Low overhead (soft real-time) environment
Handles communication between AP and PE
Performs dynamic linking of action code when ACEs are loaded with new Classification code
Resolver
Maintains namespace of applications, interfaces and ACEs
Maps ACEs to PEs automatically
Contains the compiler for NCL and does dynamic compilation of NCL
Provides the interfaces for management of applications, ACEs and interfaces
Compiler for NCL
Generates code for multiple processors (AP and PE)
Allows incremental compilation of rules
Plumber
Allows interconnection of ACEs
Allow binding to interfaces
Supports secure remote access